Data Protection legislation, namely the General Data Protection Regulation ("GDPR", in Europe and the UK) and the Protection of Personal Information Act ("POPIA", in South Africa), governs the way in which personal information about you is held and processed. The following are some of the principles that the Company operates under (expanded and elaborated in the Company's internal POPIA manual and GDPR commitment, found as a hyperlink on the Company's website):
In order to fulfil individuals' contracts of employment, monitor sickness and performance, equal opportunity policies and otherwise administer the Company's business, we will use and process personal information relating to you which we have obtained during the course of your employment. Such information includes:
In most cases you will have provided such information. In others the information has been provided by your manager, other employees, external referees, or in the case of medical records, your doctor.
We hold this personal data about you confidentially and will only disclose it to others where there is a need to do so, e.g. to give information about your earnings to the Revenue.
No sensitive data such as information about your health, racial or ethnic origins, criminal convictions, trade union membership, political or religious belief will be divulged to a third party without your permission, unless we have a specific legal requirement to process such data.
It is important that personal data held is accurate. You are required to inform the Company if you believe that your personal data is inaccurate or untrue or if you are dissatisfied with the information in any way.
Under the legislation, you are entitled to have access to certain personal data held about you. If you require access, you should contact your Line Manager. The request should be made in writing specifying the information required.
The information shall be provided as soon as reasonably practicable following receipt of the written request, or the provision by you of the additional information required by the Company for the purposes of locating any information, whichever is later.
For the purposes of this policy, a personal data breach is any attempt at, or occurrence of, unauthorized acquisition, exposure, disclosure, use, modification or destruction of personal and/or sensitive data as described in this policy. The breach protocol is meant to address security incidents involving any and all personal data held, collected, processed and/or stored by the Company, including personal data under the control or responsibility of an affiliated business or third party.
The Company shall ensure that, inter alia, all personal data breaches are reported to the Regulator, investigated and contained within the Company or by the Company and in terms of this policy.
The following is an indication of the timelines necessary herein and to be followed by the Company and/or its Information Officer when responding to, investigating and reporting on any personal data breach within the Company:
5.1. Initial Response to discovering a personal data breach, or potential breach:
5.2. Immediate Response (0-1 Business Day):
5.3. Continuing Response (0-15+ days):
5.4. Initial Response: the Company must take proactive steps to ensure that any personal data breach or potential breach is identified as soon as reasonably possible. Once identified, the Company, through its IT department and Information Officer, must bring the personal data breach or potential breach to the attention of the necessary parties who will be responsible for containing the personal data breach or potential breach.
5.5. Immediate Response: the Company, its IT department and the Information Officer must, when a breach is discovered, conduct containment activities to stop additional information from being lost or disclosed, or to reduce the number of persons to whom personal information may reach. The Company may, over its areas of responsibility or collaboratively, take steps to attempt to have lost, stolen or inappropriately disclosed information returned or destroyed. For instance, area managers may attempt to contain and control an incident by suspending certain activities or locking and securing areas of record storage; Human Resources may suspend employees as appropriate to prevent compromising behaviour; and the IT Department may shut down particular applications or third party connections, reconfigure firewalls, change computer access codes, or change physical access codes.
5.6. If applicable, staff members closest to the incident will determine the extent of the breach or potential breach by identifying all information (and systems) affected, and take action to stop the exposure. This may include:
This would most typically occur in instances of electronic system intrusion, exposed physical (e.g. medical) files or records or similar situations.
5.7. If an active cyber-insurance policy exists or the need is otherwise determined, the Company or its Information Officer may contact contracted third parties (cyber-insurance vendors or affiliates) for breach response services and resources to include forensics, investigation and response consulting, notification and call center services. Though recommended to occur as soon as possible after discovery, this can occur at any point as more information is obtained or the need is otherwise determined.
5.8. All documentation, investigation and initial and/or containment reports must be kept throughout the personal data breach protocol procedure and included in any report from the Information Officer to the Regulator in terms of section 22 of the POPI Act.
5.9. As more information is gathered, responsible staff will assess each personal data breach or potential breach to determine appropriate handling. This may involve the development and use of internal procedures by individual departments. For instance, while a minor and low risk incident may be assigned to and investigated by competent technicians within a department, the department may require that technician to escalate to management any incident that may damage the Company. The manager, in turn, may escalate the incident to the director, VP, or other level (subject to the Company's internal structure and/or organogram).
5.10. This may also involve activating alternate plans - for instance, Data Recovery Plans and/or any applicable alternative.
5.11. Additionally, responsible departments will assess each personal data breach to determine which parties should be included in communications and/or the further reporting of the personal data breach incident. For instance, the Company or Information Officer may grant certain access and permissions pertaining to cases to include area managers, directors, and vice-presidents unless circumstances exist that would preclude sharing information - for instance, if a conflict of interest exists; if sharing the information could compromise an investigation; or if the responsible manager (or a friend or family member of the responsible manager) is involved as an affected party, as a subject, or in other ways.
5.12. Continued response and reporting to the Regulator: all efforts, including but not limited to the initial reporting; the containment and any containment plans; any further planning and proposed corrections; and/or record of any correspondence or notice sent to any of the Company's affected data subjects must be kept and form a material part of the final incident report submitted to the Regulator in terms of section 22 of the POPI Act.
5.13. After containment of the personal data breach and implementation of any necessary containment plan; interim plan or relief; correction plan; data recovery plan; and/or similar plan implemented in response to the personal data breach, the Company's Information Officer must prepare a written report to submit to the Regulator.
5.14. The aforementioned written report must contain all necessary and material information pertaining to the personal data breach, including but not limited to, any supporting documentation, investigation outcomes and/or improvement plans. The report must indicate whether the breach was low, moderate or high risk and the extent of the personal data breach, including but not limited to any actual damages suffered; any damage or injury to affected data subjects; and any potential or further threat created by the personal data breach.
5.15. The Information Officer must further notify all affected data subjects of the personal data breach as soon as reasonably possible after discovery of the personal data breach, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the breach and to restore the integrity of the Company's information system. The notification must be done in writing and communicated to the data subject in one of the following ways:
5.16. The notification must provide the affected data subjects with sufficient information to allow the data subject to take protective measures against the personal data breach, including -
5.17. The Regulator may direct an Organisation to publicise, in any manner specified, the fact of any personal data breach or compromise to the integrity of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the breach.